Railgun is an extension to the Meterpreter

Allows arbitrary loading of DLLs

As long as you know the path of the DLL, you can access its functions

Since Windows API DLLs are always at known paths, we can always load them

Dynamic access to the entirety of the Windows API on the system

By calling APIs from user processes, we can impersonate users

Anything becomes possible
June 2010 - Railgun submitted to Metasploit by Patrick HVE

Sept 2010 - 64bit support added by Stephen Fewer

Feb 2011 - Chao-mu takes over Railgun support, resumes new feature work

Fall 2011 - Chao-mu disappears

Aug 2012 - YOU start contributing to Railgun

Dec 2012 - Mayans predict Railgun-related Apocalypse?
def self.create_dll(dll_path = 'advapi32')
  dll = DLL.new(dll_path, ApiConstants.manager)

  # Each parameter is [type, name, direction]
  dll.add_function('CredEnumerateA', 'BOOL', [
    ['PCHAR', 'Filter', 'in'],
    ['DWORD', 'Flags', 'in'],
    ['PDWORD', 'Count', 'out'],
    ['PBLOB', 'Credentials', 'out']])

  return dll
end



A look at Railgun Definitions 



If it quacks like a duck...

Pass as a Fixnum or Bignum

String representation of constants can also be passed in

Pointer to a DWORD

Pass a Fixnum

Pass the content of the DWORD, not the pointer

If it is an OUT only parameter, pass a 4 (size of a DWORD)

Pass nil for a NULL pointer

Pass as Ruby strings. Will be converted seamlessly

If OUT only, pass a Fixnum of the size of the buffer (including null byte)




Definition

dll.add_function('CryptAcquireContextW', 'BOOL', [
  ['PDWORD', 'phProv', 'out'],
  ['PWCHAR', 'pszContainer', 'in'],
  ['PWCHAR', 'pszProvider', 'in'],
  ['DWORD', 'dwProvType', 'in'],
  ['DWORD', 'dwFlags', 'in']])



Used in the SmartFTP password recovery



Usage

ms_enhanced_prov = "Microsoft Enhanced Cryptographic Provider v1.0"
prov_rsa_full = 1
crypt_verify_context = 0xF0000000
alg_md5 = 32771
alg_rc4 = 26625

advapi32 = client.railgun.advapi32

# phProv is OUT only, so pass a 4 (the size of a DWORD); nil is a NULL pointer
acquirecontext = advapi32.CryptAcquireContextW(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context)



Pass in Ruby true/false values exactly as expected

Definition:

dll.add_function('IsDebuggerPresent', 'BOOL', [])

Usage:

>> client.railgun.kernel32.IsDebuggerPresent()
=> {"GetLastError"=>0, "return"=>false}





Handled the same as DWORDs, but Fixnums passed in will be truncated to the appropriate length

Anything that's not a string or a DWORD

Treated as a Ruby string

Railgun will not help you parse structures



Definition

dll.add_function('WlanGetProfile', 'DWORD', [
  ['DWORD', 'hClientHandle', 'in'],
  ['PBLOB', 'pInterfaceGuid', 'in'],
  ['PBLOB', 'strProfileName', 'in'],
  ['LPVOID', 'pReserved', 'in'],
  ['PDWORD', 'pstrProfileXML', 'out'],
  ['PDWORD', 'pdwFlags', 'inout'],
  ['PDWORD', 'pdwGrantedAccess', 'out']])



Used in the wlan_profile post module

Usage

profile['name'] = @host_process.memory.read(ppointer, 512)
ppointer = (ppointer + 516)

# nil is the NULL pReserved pointer; the trailing 4s are the PDWORD parameters
rprofile = @wlanapi.WlanGetProfile(wlan_handle, guid, profile['name'], nil, 4, 4, 4)



Pointers and Handles of any kind are really just numbers, so treat them as DWORDs

If it can be treated as a number it's a DWORD

Otherwise it's a PBLOB

If neither works, add support for it yourself =)
The function will return a hash

Hash will always contain at least GetLastError

Hash will return any OUT values

GetLastError will be 0 if there was no error

Otherwise it will contain the Windows system error code encountered

Error codes can be looked up at
http://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
acquirecontext = advapi32.CryptAcquireContextW(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context)

# The OUT parameter phProv comes back as a key of the returned hash
createhash = advapi32.CryptCreateHash(acquirecontext['phProv'], alg_md5, 0, 0, 4)
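As an added illustration (not Railgun's own code), the parameter rules and the returned-hash shape described in the slides above, encoded as a checker that validates a call against a Railgun-style definition; FakeDLL, check_args, result_keys and page_dll are assumed names.

```ruby
# Added illustration (not Railgun's own code); FakeDLL, check_args, result_keys, page_dll are assumed names.
DWORD_SIZE = 4

class FakeDLL
  attr_reader :functions
  def initialize; @functions = {}; end

  # Same shape as Railgun's dll.add_function(name, return_type, params);
  # each param is [type, name, direction] with direction 'in', 'out' or 'inout'
  def add_function(name, ret, params)
    @functions[name] = { ret: ret, params: params }
  end
end

# Returns the list of convention violations; an empty list means the call is well formed
def check_args(dll, name, args)
  params = dll.functions.fetch(name)[:params]
  return ["#{name}: expected #{params.size} args, got #{args.size}"] if args.size != params.size
  problems = []
  params.zip(args).each do |(type, pname, dir), arg|
    next if arg.nil? && type != 'DWORD' && type != 'BOOL'   # nil stands for a NULL pointer
    ok = case type
         when 'DWORD', 'LPVOID' then arg.is_a?(Integer) || arg.is_a?(String) # number or constant name
         when 'PDWORD'                     # OUT only: a 4 (size of a DWORD); otherwise the DWORD's content
           arg.is_a?(Integer) && (dir != 'out' || arg == DWORD_SIZE)
         when 'PCHAR', 'PWCHAR', 'PBLOB'   # OUT only: buffer size; otherwise a Ruby string
           dir == 'out' ? arg.is_a?(Integer) : arg.is_a?(String)
         when 'BOOL' then arg == true || arg == false
         else true
         end
    problems << "#{name}: #{pname} (#{type} #{dir}) got #{arg.inspect}" unless ok
  end
  problems
end

# Keys of the hash Railgun hands back: GetLastError, return, and one per OUT/INOUT parameter
def result_keys(dll, name)
  outs = dll.functions.fetch(name)[:params].reject { |_, _, dir| dir == 'in' }.map { |_, pname, _| pname }
  ['GetLastError', 'return'] + outs
end

# The CryptAcquireContextW and IsDebuggerPresent definitions from the slides above
def page_dll
  dll = FakeDLL.new
  dll.add_function('CryptAcquireContextW', 'BOOL', [
    ['PDWORD', 'phProv', 'out'], ['PWCHAR', 'pszContainer', 'in'], ['PWCHAR', 'pszProvider', 'in'],
    ['DWORD', 'dwProvType', 'in'], ['DWORD', 'dwFlags', 'in']])
  dll.add_function('IsDebuggerPresent', 'BOOL', [])
  dll
end
```

Passing a pointer value instead of a 4 for the OUT only phProv, or dropping an argument, shows up as a violation before anything is sent to the target.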
Complex structure types that you will have to parse yourself

Strings you don't know the length of

Large number of string reads (SLOWWWW)
Anything you can do with the Windows API is available

Without increasing the size of the payload

Get the OS to decrypt stored SmartFTP passwords

Enumerate and decrypt stored RDP passwords

Scan for wireless APs

Enumerate domain controllers on the victim's network
Enough of these ugly slides
Let's see it in action